Security News

For those of you who have been coming to the Social-Engineering Capture the Flag (SECTF) at DEF CON for the past 4 years, you might already know that we try to hold one of the most popular contests around full of Social Engineering Awesomeness. But we also try to make sure there are some presentations and other events in the SECTF room to inform and entertain.

In previous years, we have had notable social engineers like Kevin Mitnick give presentations and demos. Last year we culminated our little mini-SE-CON with Kevin Mitnick, Sharon Conheady and the Director of the NSA, General Keith Alexander.

What can we do to keep the energy going and make the SECTF even more awesomer than ever before?

Enter the Apollo

Have you heard of a guy who can literally steal the watch off your wrist and phone out of your pocket without you knowing? If you haven’t, you are going to want to get up on your Apollo Robbins videos.

This year the Social-Engineer Team has invited Apollo Robbins in to the SECTF room to do a little show and be part of our podcast. Ok, are you as excited as us?

Well, here is the deal; last year when we had our good friend Kevin Mitnick in, the goons made us lock the doors (thank you DEF CON Goons for keeping us safe) once the room was beyond capacity. This year we are sure this is going to happen again – so if you want a seat at this one-time event, get to the SECTF room early.

Now, you know we want you all there all weekend. Calls start on Friday AM, continuing through Saturday AM, and then Sunday Apollo and the SEORG Crew take the stage and put on one of the most Memorable Podcasts Ever!!

Join us for PaulDotCom Security Weekly Episode 337. With guest Matt Bergin, age twenty four, works for CORE Security as a Security Consultant where his day job consists of discovering, exploiting, and mitigating vulnerabilities in their client's network environments. Also, for our tech segment we are joined by Mike Murray and Kati Rodzon from MAD Security. Katrina Rodzon is a behavioral scientist for MAD Security. Her last 9 years have been spent studying psychology and ways to modify and study human behavior. Mike Murray has spent more than a decade helping companies to protect their information by understanding their vulnerability posture from the perspective of an attacker. They are going to be talking about "Social Engineering War Stories".

Sit back and enjoy the show live or participate in the live chat on our Ustream channel:

In this episode we talk about the insider. Because right now, there is nothing more important for you to detect. Why? Because you could have an insider. You could also have a compromised user account. From a detection standpoint, they would be indistinguishable.

Here at Social-Engineer we delve into everything to find the social engineering angle…. Yes, I mean everything. For your reading pleasure we have taken SE to a new height this month.

Over the past few years there have been some apartment complexes in the U.S. and Europe that have used DNA testing and social engineering to identify dog poop left unattended by the pet’s owners. Tenants are required to register their pet’s DNA with the apartment management in order to identify offenders. Fines can then be levied against guilty tenants once the DNA match has been confirmed.

Recently, in Brunete, Spain, a team of volunteers spotted the guilty parties in the act. They then use “social engineering” skills and struck up a friendly conversation with the owners to learn the name of the pet. With that info, the owners could be identified from the city registry and the waste was mailed back to the owners. Officials said the offenses have since fallen by 70 percent.

This idea has been discussed for years by local governments and property owners as a way to deter these kinds of misdeeds. We would like to use this latest example in making a larger point about the nature of data. It isn’t typical for people to think of a pile of dog poop as a source of social engineering information. (A fact that would have served the offenders in Brunete to consider.)

Perspective and creativity are critical to human adaptation. We know from experience, and biology class, that the most adaptive organisms are the organisms that survive and thrive over time. The ability to shift perspective, explore our perceptions and yield creative solutions to problems are some of humanity’s greatest strengths and capabilities. To be a better thinker and therefore more adaptive are useful sets of skills.

Critical Thinking for Social Engineering Skills

Functional Fixedness is a cognitive psychology concept in which a person finds it difficult to think of creative uses for an object aside from its traditional use. A typical functional fixedness exercise requires participants to solve the following problem:

Two strings that are long enough to be tied together hang from hooks on either side of a ceiling. The strings are hung far enough apart that you cannot reach one without holding the other. With a box of nails, matches and a hammer at your disposal how can you manage to hold both strings at the same time so that you may tie them together?

Exercises such as this are useful for strengthening your creativity and opening your mind up to different perspectives in problem solving. Something we call – Critical Thinking. As a social engineer is it important to continually develop the ability to be creative and to expand your capacity to adapt to any situation. This is applicable for the highly technical as well as agents who largely operate in the physical realm. Critical thinking leads to better execution.

And as the residents of Brunete who failed to clean up after their pets learned, it is important to protect your information. All of it.

Disclaimer

The views expressed on this site are my own and do not reflect those of my current employer or its clients. This "work" has been done in my free time and therefore it's not related to my current company in any way.

Potential intruders are in what military strategists call "the position of the interior": the defender has to defend against every possible attack, while the attacker has to find only one weakness.
Bruce Schneier (01-05-2001)